%SNMP-3-AUTHFAIL error message

Unanswered Question
Oct 30th, 2007
User Badges:

Hi,


Some of my Catalyst 2950G-48 switch have following error message :


Oct 30 16:03:15.470: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 172.16.6.250


172.16.6.250 is Ciscoworks 2000 server ( version 2.5.1 ). The community string setting at Catalyst 2950G-48 switch and Ciscoworks are correct. Can you please advise me to identify the problem?


Best Regards,


Jackson Ku

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
David Stanford Tue, 10/30/2007 - 06:01
User Badges:
  • Cisco Employee,

Does the community string configured in LMS CM match what is on your devices??


Check the file ANIServer.properties and see if UTGetVlansWithUserPortsIOS is set to 0 or 1?


jackson.ku Tue, 10/30/2007 - 18:02
User Badges:

Hi,


I exported device lists in Device and Credentials - Device Management and verified the snmp community string was correct. I also verified the snmp setting in Campus Manager, it also correct.


The UTGetVlansWithUserPortsIOS setting in ANIServer.properties files is 1.


Best Regards,


Jackson Ku

jschweng Thu, 11/01/2007 - 08:39
User Badges:

We are also seeing the same SNMP error. What is the signifance of "0" or "1"? What is the full directory path for checking the ANIServer.properties flle? Thanks.

Joe Clarke Thu, 11/01/2007 - 08:57
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

The 0 will cause User Tracking to query inactive VLANs. This can cause authFail problems. There is another property, UTGetVlansOnDownPort, which when 1, can also cause authFail messages. Setting this property to 0 may resolve the problem.


However, ANIServer, as part of Data Collection, will also use indexed SNMP requests to query spanning tree configuration. The same problems that plague UT will also affect Data Collection. There are currently no ways to workaround the DC issues.


A sniffer trace of the packets causing the authFail problem will definitively identify whether the issue is with User Tracking acquisition or Data Collection.

jschweng Thu, 11/01/2007 - 14:04
User Badges:

Ok, I changed the UTGetVlansOnDownPort value to "0". I'll check the switch logs to see if the SNMP auth failure went away.

jackson.ku Thu, 11/01/2007 - 16:37
User Badges:

Hi,


I checked the timestamp of the %SNMP-3-AUTHFAIL error message, it generated at Data Collection. And I also found that only Catalyst 2950 switchs with IOS 12.1.20 ( EA1a ) had this problem, but newer or older IOS did not have this problem. Can you verified IOS version of the switchs?


Best Regards,


Jackson Ku

jschweng Mon, 11/05/2007 - 06:33
User Badges:

Our access switches are running 12.2(25)SEB2. These switches do not have this error message but our Core and Distribution (6500 series) do. They are running 12.2(18)SXE1.


After making the change to the ANIServer.properties file, the error messages are gone. I'm not sure why the version of IOS matters.

Joe Clarke Mon, 11/05/2007 - 07:16
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

If the problem is only with the 2950 switches, and you are using SNMPv3, then this is expected since the 2950s do not support SNMPv3 contexts. Other than that, the same caveats I mentioned earlier apply.

Joe Clarke Wed, 03/12/2008 - 18:15
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

The reason you're seeing this is due to a lack of MST support in SNMP for the 2950s. You need to upgrade to 12.1(22)EA11 to get this support.

o_z_l_e_m Fri, 03/14/2008 - 04:04
User Badges:

I have the same problem on cisco WS-C6513, I cant see any problem about the snmp strings but there are a lot of %SNMP-3-AUTHFAIL logs on the cisco device for HPOV NNM IP address.

Joe Clarke Fri, 03/14/2008 - 09:02
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

This thread is getting too cluttered. You will need to start a new thread describing this issue. Include your version of Campus Manager, version of software on the switch, and you should get a sniffer trace of SNMP traffic to the switch when the authFail messages are being generated so the community strings and objects being polled are known.

Actions

This Discussion